Effective date: April 26, 2026
Privacy Policy

1. Introduction

This Privacy Policy describes how MaximusLabs AI, a company incorporated under the laws of India with its registered office at No 132/1, 24th Main Road, Kaveri Nagar, Kurubarahalli, Bengaluru 560086, India ("Maximus Labs," "we," "us," or "our"), collects, uses, stores, shares, and protects personal data when you visit maximuslabs.ai, use the Clients Dashboard at clients.maximuslabs.ai, connect Google Search Console or Google Analytics via our OAuth integration, or otherwise engage with our services. Maximus Labs is a full-stack AI growth marketing agency specializing in Answer Engine Optimization, serving clients in India, the United States, the United Kingdom, the European Economic Area, Israel, and other jurisdictions.

This Policy is designed to comply with the Digital Personal Data Protection Act 2023 (India), the General Data Protection Regulation (EU GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, the Israel Privacy Protection Law (5741-1981, as amended), and other applicable data-protection laws.

By using our services, you acknowledge you have read this Policy. Where processing relies on consent under applicable law (for example, marketing communications, non-essential cookies, and Google OAuth scopes), we collect separate, granular consent at the point of collection.

2. Scope

In this Policy, "Services" has the meaning given in our Terms of Service (Section 2.3), including maximuslabs.ai, clients.maximuslabs.ai, all subdomains, APIs, content, integrations, and associated offerings.

This Policy applies to personal data Maximus Labs processes in the following contexts:

  • Website visitors to maximuslabs.ai and its subdomains
  • Prospects who submit contact forms, book discovery calls, or subscribe to content
  • Active clients and their Authorized Users
  • Users of the Clients Dashboard, including data obtained through Google OAuth (Search Console, Google Analytics) and CMS integrations via [email protected] or Client-issued API credentials
  • Individuals whose personal data appears incidentally within Client-authorized analytics exports

3. Data Controller and Grievance Officer

Data Controller / Data Fiduciary: MaximusLabs AI, No 132/1, 24th Main Road, Kaveri Nagar, Kurubarahalli, Bengaluru 560086, India.

Grievance Officer (DPDP Act 2023), Data Protection Contact, and Privacy Contact:

  • Name: Krishna Kaanth M, Founder & CEO
  • Alternative Channel: Contact form at maximuslabs.ai/contact
  • Address: As above

You may contact the Grievance Officer with any data-protection concern, rights request, or complaint. We will acknowledge receipt promptly and respond within the timelines required by applicable law (typically 30 days).

4. Personal Data We Collect

4.1 From Website Visitors

  • Device and browser information, IP address, pages visited, referrer, session timestamps
  • Cookies and similar technologies (see Section 10)
  • Analytics collected via Google Analytics 4

4.2 From Prospects

  • Name, business email, company name, job title, country
  • Website URL and any details you provide in contact forms, discovery-call bookings, or email correspondence
  • Booking-tool metadata (meeting time, timezone)

4.3 From Active Clients and Authorized Users

  • Contract, billing, and tax information (including entity name, address, tax IDs, invoices, bank wire details)
  • Authorized User identity data (name, email, role, authentication credentials)
  • Founder interviews, brand assets, strategy inputs, and other materials you provide
  • Communications (email, chat, call recordings where consented)

4.4 From Google OAuth Integration (Search Console and Google Analytics)

With your explicit consent via the Google OAuth consent screen, we request the following read-only scopes:

  • https://www.googleapis.com/auth/webmasters.readonly
  • https://www.googleapis.com/auth/analytics.readonly
  • openid, email, profile

Through these scopes we access: authenticated user identity (email, name), Google Search Console property lists, search queries, impressions, clicks, CTR, average position, top pages, and country/device breakdowns; Google Analytics account, property, and view metadata, sessions, users, events, conversions, traffic-source reports, and dimension/metric combinations required to render dashboards. We do not request, and do not have, any write, modify, delete, or publishing permissions on Google user data.

OAuth Verification Status. Our OAuth application for Google Search Console and Google Analytics scopes has completed, or is currently undergoing, Google's OAuth application verification process. Current verification status may be confirmed on request at [email protected].

4.5 From CMS Integration

Through either the [email protected] email invited into your CMS, Client-issued API credentials, or staging API endpoints, we access content, draft articles, media assets, and metadata required to push articles as drafts. We never auto-publish content live.

4.6 From Dashboard Usage

Application logs, audit trails, session data, feature usage events, and error reports to operate and secure the Dashboard.

4.7 From Payments

Invoice, bank wire, and payment-processor metadata. Full payment card numbers are processed by our payment processor and are not stored by Maximus Labs.

5. Why We Process Data (Purposes and Legal Bases)

Purposes of Processing and Legal Bases (GDPR / UK GDPR)
Purpose Categories Legal Basis (GDPR / UK GDPR)
Operate the website and communicate with prospects Website, prospect data Legitimate interests; consent for marketing
Deliver agency services under the MSA Client data, Google API data, CMS data Performance of contract; legitimate interests
Provide the Clients Dashboard and visualizations OAuth data, Dashboard usage data Performance of contract; consent for OAuth scopes
Display client names and logos for marketing Client identity Legitimate interests (with right to object)
Billing, tax compliance, record-keeping Billing and tax records Legal obligation; performance of contract
Secure the services, prevent fraud, audit logs All categories Legitimate interests; legal obligation
Marketing communications Prospect and client contacts Consent; legitimate interests with opt-out
Comply with law, respond to legal process Any as required Legal obligation

Under the India DPDP Act 2023, processing is based on (a) consent, or (b) legitimate uses as defined in Section 7 of the Act. Under CCPA/CPRA, we process personal information as a business. Under Israel PPL, we process data in accordance with the consent and purpose-limitation principles.

6. Google API Services — Limited Use Commitment

Maximus Labs' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not sell Google user data.
  • We do not use Google user data to serve advertising, including retargeting, personalized, or interest-based advertising.
  • We do not use Google user data to train, fine-tune, evaluate, or benchmark generalized or third-party artificial intelligence or machine learning models.
  • We do not allow humans to read Google user data except (i) with the user's affirmative consent for specific data, (ii) as necessary for security purposes (such as investigating abuse), (iii) to comply with applicable law, or (iv) where the data has been aggregated and de-identified.
  • We do not transfer Google user data except as necessary to provide or improve the user-facing features of the Clients Dashboard, to comply with applicable law, or as part of a merger, acquisition, or sale of assets, with notice.

6.1 How Google OAuth Data Is Handled

  • OAuth access and refresh tokens are stored encrypted at rest.
  • Cached GSC and GA data is stored encrypted and accessed only to render visualizations for the authenticated user and their Client organization.
  • Access is restricted to authorized Maximus Labs personnel on a least-privilege basis and logged.
  • Upon OAuth revocation or engagement termination, we purge cached Google user data and tokens within 30 days, subject to backup overwrite schedules that complete within 35 days.
  • You may revoke access at any time via in-Dashboard controls or at https://myaccount.google.com/permissions.

7. How We Share Data (Named Sub-Processors)

We share personal data only with trusted sub-processors who act on our instructions and are bound by data-protection obligations at least as protective as this Policy. Our current named sub-processors are:

Named Sub-Processors and Primary Locations
Sub-processor Purpose Primary Location
Render Application hosting USA
Supabase Managed database and authentication USA / EU
Cloudflare DNS, CDN, WAF, bot-management Global
Resend Transactional email (system, auth, notifications) USA
Google Workspace Internal email, documents, and file storage USA
Google Analytics 4 Website analytics on maximuslabs.ai USA
HDFC Bank and designated payment processor Payment processing (wire and card) India / USA
Anthropic, OpenAI Enterprise LLM APIs, configured to prohibit training on Maximus Labs inputs USA
Sentry Application error monitoring (where used) USA
Cal.com Discovery-call scheduling USA
Client-supplied CMS platforms Integration with Client CMS (e.g., Webflow, WordPress, Shopify, Framer, Ghost, Sanity, Contentful) Varies

The live list of named sub-processors is maintained at maximuslabs.ai/sub-processors and available on request at [email protected]. We will provide 30 days' advance notice of material changes so that Clients with DPA rights may object.

We also disclose data when required by law, valid legal process, to protect rights, property, or safety, or in connection with a corporate transaction, with notice.

We do not sell personal information under CCPA/CPRA, and we do not share personal information for cross-context behavioral advertising.

8. International Data Transfers

Maximus Labs is based in India and serves clients in India, the United States, the United Kingdom, the European Union, Israel, and other jurisdictions. Personal data may be transferred to and processed in countries other than your own, including India, the United States, and the European Economic Area, depending on the location of our sub-processors.

For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable) and, where required, supplementary measures to ensure equivalent protection.

For transfers originating from India, Maximus Labs relies on §16 of the DPDP Act 2023 and the Central Government's notification framework. If the Central Government notifies countries to which transfer is restricted, Maximus Labs will update this Policy and its sub-processor arrangements accordingly.

Clients may request a copy of the applicable transfer mechanism at [email protected].

9. Data Retention

We retain personal data only as long as necessary for the purposes described:

Data Retention Periods by Category
Data Category Retention Period
Website analytics (GA4) Up to 14 months
Prospect inquiries Up to 24 months from last interaction, then deletion unless converted to Client
Client contract, engagement, and deliverable records Duration of engagement + 3 years
Invoices, tax and billing records 6 years from the end of the relevant assessment / financial year (India Income Tax Act §44AA and GST Act §36); 8 years for records subject to Companies Act §128
Google OAuth tokens and cached GSC / GA data Active engagement + 30 days after disconnection or termination
CMS credentials Active engagement + 30 days post-termination
Dashboard usage logs 12 months
Backups 35-day rolling window, then permanent overwrite
Marketing subscribers Until unsubscribe + statutory retention

After the retention period, data is deleted or irreversibly anonymized.

10. Cookies and Similar Technologies

In compliance with the EU ePrivacy Directive and GDPR, we disclose each cookie's name, provider, category, purpose, and duration below. A cookie banner on maximuslabs.ai allows you to accept, reject, or customize non-essential categories.

10.1 maximuslabs.ai

Cookies Used on maximuslabs.ai
Cookie Name Provider Category Purpose Duration
_ga Google Analytics 4 Analytics Distinguishes unique users 2 years
_ga_<container-id> Google Analytics 4 Analytics Session state for GA4 2 years
_gid Google Analytics 4 Analytics Distinguishes unique users (short-term) 24 hours
__cf_bm Cloudflare Essential Bot-management and security 30 minutes
cf_clearance Cloudflare Essential Verifies successful challenge completion 30 days
ml_cookie_consent Maximus Labs Essential Stores your cookie-consent preferences 12 months
_rdt_uuid, fbp Marketing platforms (where used) Marketing Campaign attribution and measurement Up to 13 months

10.2 clients.maximuslabs.ai

Cookies Used on clients.maximuslabs.ai
Cookie Name Provider Category Purpose Duration
sb-access-token Supabase Essential Dashboard authentication Session
sb-refresh-token Supabase Essential Dashboard session refresh 30 days
__cf_bm Cloudflare Essential Bot-management and security 30 minutes
ml_dashboard_session Maximus Labs Essential Session integrity for the Dashboard Session
ml_product_analytics Maximus Labs Product analytics Internal feature-usage measurement (no third-party sharing) 12 months

No marketing cookies are set on clients.maximuslabs.ai. You can manage cookies via your browser settings; blocking essential cookies may prevent the Services from functioning. Engineering conducts a cookie audit before each policy revision; if you identify any cookie not listed above, please contact [email protected] and we will update this table.

11. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — obtain confirmation and a copy of your personal data
  • Correction — rectify inaccurate or incomplete data
  • Deletion / Erasure — request deletion of your data
  • Restriction — restrict certain processing
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests or direct marketing
  • Withdraw Consent — at any time where processing relies on consent, without affecting prior lawful processing
  • Nominate (DPDP Act) — Indian data principals may nominate another individual to exercise rights in the event of death or incapacity
  • Grievance Redressal — lodge a grievance with our Grievance Officer at [email protected]
  • Non-Discrimination (CCPA/CPRA) — California consumers will not be denied service, charged different prices, or offered different quality of service for exercising privacy rights
  • Global Privacy Control (GPC) — we honor Global Privacy Control signals transmitted from your browser as a valid opt-out preference signal under the California Consumer Privacy Act
  • CCPA/CPRA Rights — California consumers have rights to know, delete, correct, and limit use of sensitive personal information; we do not sell or share personal information for cross-context behavioral advertising
  • Lodge a Complaint — with your local supervisory authority (e.g., India's Data Protection Board under DPDP, the ICO in the UK, your EU Data Protection Authority, the Israeli Privacy Protection Authority)

To exercise your rights, contact [email protected]. We will verify your identity and respond within the timelines required by applicable law (typically 30 days, extendable as permitted).

12. Security

Maximus Labs implements administrative, technical, and physical safeguards to protect personal data, including TLS 1.2+ encryption in transit, encryption at rest for credentials, OAuth tokens, and Google user data, least-privilege access controls, audit logging, vulnerability scanning, secure software development practices, and vendor diligence on sub-processors. No system is perfectly secure; you remain responsible for safeguarding your credentials.

Breach notification: In the event of a personal-data breach likely to result in risk to individuals, we will notify affected Clients and competent authorities without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with GDPR, UK GDPR, and the DPDP Act notification requirements. Report suspected incidents to [email protected].

13. Children

The Services are intended for business users aged 18 or older. We do not knowingly process personal data of children as defined under applicable law:

  • India (DPDP Act 2023): under 18 years old
  • EEA / UK (GDPR): under 16 years old (or the applicable lower age of digital consent set by the relevant member state)
  • United States (COPPA): under 13 years old

If we learn we have collected such data, we will delete it promptly.

14. Automated Decision-Making and AI

Maximus Labs uses artificial intelligence and machine learning tools in the course of delivering services (for example, content production, research summarization, and analytics). We do not make solely automated decisions that produce legal or similarly significant effects on individuals. Where AI is involved in analyses, human experts review and direct the output before it reaches a Client.

No training on your data. We configure all third-party LLM/AI APIs we use (including Anthropic and OpenAI) with vendor settings that prohibit training on our inputs, and we do not use Client data or Google user data to train, fine-tune, or evaluate any AI/ML model.

15. Marketing Communications

With your consent or under applicable legitimate-interest bases, we may send you newsletters, product updates, or relevant marketing communications. You can opt out at any time using the unsubscribe link in any email or by contacting [email protected]. Transactional and account-related emails are not marketing and cannot be opted out of while you have an active account.

16. Data Processing Addendum

For Clients who are Data Controllers under GDPR, UK GDPR, or equivalent laws and who require a Data Processing Addendum (DPA) under which Maximus Labs acts as Processor, a DPA incorporating the EU SCCs and UK IDTA is available on written request at [email protected].

17. Publicity of Client Identity

Consistent with standard agency practice, Maximus Labs may display Client names and logos on maximuslabs.ai and in marketing materials, decks, proposals, and investor updates, under our legitimate interests in promoting our agency services and demonstrating track record. Clients may object at any time by written request to [email protected]; Maximus Labs will remove the identified Client reference within 30 days of receipt. Detailed case studies containing specific performance metrics are published only with the Client's prior written approval of the specific content.

18. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by updating the "Last Updated" date and version number, posting a notice on maximuslabs.ai/privacy, and, for significant changes, sending email notification to Clients and subscribers at least 30 days in advance. Your continued use after the effective date constitutes acceptance.

19. Contact

For any question, rights request, or complaint:

  • Contact Form: maximuslabs.ai/contact
  • Registered Office: MaximusLabs AI, No 132/1, 24th Main Road, Kaveri Nagar, Kurubarahalli, Bengaluru 560086, India
  • Website: https://maximuslabs.ai
  • Clients Dashboard: https://clients.maximuslabs.ai